From owner-freebsd-net@FreeBSD.ORG Thu Oct 20 20:53:42 2005
Message-ID: <4358082A.4060409@vwsoft.com>
Date: Thu, 20 Oct 2005 22:12:10 +0100
From: Volker <volker@vwsoft.com>
To: freebsd-net@freebsd.org
Subject: IPSec session stalls
List-Id: Networking and TCP/IP with FreeBSD

Hi!

A few days ago I've managed to set up two IPSec tunnels (3 machines involved) between FreeBSD 5.4R hosts.
While I do not fully understand all the options and knobs of IPSec, it was easy to set up (thanks to the handbook guys!). As the tunnels work properly in the first place, there's one issue (on both tunnels).

Whenever there's a large amount of traffic per tcp or udp session, the tcp or udp session stalls. For example, I've tried to scp a 1.4M file through one of these tunnels; scp starts to transfer the file and stalls at exactly 49152 bytes transferred. PcAnywhere (using udp) sessions going through the tunnel work for a few minutes and then the PcAw connection breaks between host and remote. I guess both issues are equal as it generates a lot of traffic in the tunnel.

The tunnel itself seems to be stable. I've tried to scp a huge file and pinged the other host in another session, and no packet loss appeared.

What I did:

- gif tunnel created on both sides
- spd policies set up to encrypt (ipencap) traffic between both machines (in + out)
- racoon installed and key lifetime set to 1 hour
- route set into the tunnel

The racoon debug output did not show anything which would lead me to an issue with racoon.

Where do I have to look? How do I debug this problem? Did anybody experience similar problems?

Thanks,
Volker
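The gif-plus-SPD setup listed in the mail, written out as an added shell example (not code from the mail, the FreeBSD handbook or the racoon project); the public endpoints, inner tunnel addresses and private networks are constructed placeholders, and the generated lines target FreeBSD 5.x-era setkey(8), ifconfig(8), route(8) and racoon.conf(5) syntax.

```shell
#!/bin/sh
# Added example: generate one side's configuration for a gif-based IPsec
# tunnel in which the ipencap (IP-in-IP) traffic is protected by tunnel-mode
# ESP, with SAs negotiated by racoon. All addresses are constructed.

# SPD policy for this host. $1 = local public endpoint, $2 = remote public
# endpoint. Both directions must be present, and the peer needs the mirror
# image, otherwise one direction is silently dropped by the kernel.
spd_policy() {
    cat <<EOF
flush;
spdflush;
spdadd $1/32 $2/32 ipencap -P out ipsec esp/tunnel/$1-$2/require;
spdadd $2/32 $1/32 ipencap -P in ipsec esp/tunnel/$2-$1/require;
EOF
}

# gif interface and route for this host. $1 local public, $2 remote public,
# $3 local inner address, $4 remote inner address, $5 remote private net.
tunnel_commands() {
    cat <<EOF
ifconfig gif0 create
ifconfig gif0 tunnel $1 $2
ifconfig gif0 inet $3 $4 netmask 255.255.255.255
route add -net $5 $4
EOF
}

# racoon phase-2 parameters; $1 is the SA lifetime (e.g. "1 hour"), which
# is what the mail refers to as the key lifetime.
racoon_sainfo() {
    cat <<EOF
sainfo anonymous {
    pfs_group 2;
    lifetime time $1;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
EOF
}

# Stand-alone run: print host A's configuration (load the SPD with
# "setkey -f <file>", append the sainfo block to /etc/racoon/racoon.conf).
if [ "${1:-}" = "--demo" ]; then
    spd_policy 203.0.113.1 198.51.100.1
    tunnel_commands 203.0.113.1 198.51.100.1 10.0.1.1 10.0.2.1 192.168.2.0/24
    racoon_sainfo "1 hour"
fi
```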